req.session.user is deleted while user is active

I set the session timeout to 30 minutes. While I am still active, req.session.user is deleted after 30 minutes. However, the session is still alive. Here's my config (I'm using express-session and passport.js):

    app.use(session({
        store: new RedisStore(options),
        secret: <some_secret>,
        resave: false,
        saveUninitialized: false,
        cookie: {maxAge: 1800000}
    }));

    app.use(passport.initialize());
    app.use(passport.session());

    // Are these serializer/deserializer needed?
    passport.serializeUser((user, done) => {
        done(null, user);
    });
    passport.deserializeUser((user, done) => {
        done(null, user);
    });

In login:

    router.post('/login', (req, res, next) => {
        passport.authenticate('ldapauth', {session: false}, (err, user, info) => {
            ...
            if (user) {
                req.session.user = {email: req.body.username};
            }
            next();
        })(req, res);
    });

The verify code is like this:

    isLoggedIn() {
        if (req.session && req.session.user) {
            return true;
        }
        return false;
    }

I set the req.session.user to some object after I successfully logged in.

So, after 30 minutes, req.session.user is deleted, but req.session is still there and keeps on incrementing the expiry date since I am still actively working on the page.

Why is req.session.user deleted after 30 minutes? I thought passport rides on the session by express?







node.js passport.js






edited Nov 9 at 1:46









Community

asked Nov 8 at 9:34









iPhoneJavaDev

This question has an open bounty worth +50
reputation from iPhoneJavaDev ending in 4 days.


Looking for an answer drawing from credible and/or official sources.








  • Please post the redis options. I suspect you set the expiration on the data.
    – niry
    2 days ago

  • I didn't set any expiration on Redis. In the options I only provide the client to connect to. Besides, even when I encountered the timeout, the session id remains in redis.
    – iPhoneJavaDev
    2 days ago

  • Just to clarify, with "encountered the timeout", I mean the req.session.user that I set got deleted after 30 minutes of still being active. I'm thinking there's something going on with passport, maybe, I'm not sure.
    – iPhoneJavaDev
    2 days ago


















1 Answer
From: https://www.npmjs.com/package/connect-redis

ttl: Redis session TTL (expiration) in seconds. Defaults to session.cookie.maxAge (if set), or one day. This may also be set to a function of the form (store, sess, sessionID) => number.

You can avoid deleting keys by setting disableTTL:

disableTTL: Disables setting TTL, keys will stay in redis until evicted by other means (overrides ttl)








answered 2 days ago









niry

  • I'm not sure about this as the sessionId remains in redis after the req.session.user got deleted.
    – iPhoneJavaDev
    2 days ago

  • Did you actually try it?
    – niry
    yesterday

  • At first, I didn't try it 'cause I think it's not related. Redis only stores the sessionId with key sess:<sessionId>. That's all. I think that's express-session's behavior, to store only the sessionId. So I don't think disabling TTL will do anything as req.session.user is not saved in redis. But then, I still tried. I added store: new RedisStore({client: <myredisclient>, disableTTL: true}),. As expected, the same behavior. Because it's not related to req.session.user that I am setting.
    – iPhoneJavaDev
    yesterday
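
The TTL rule quoted in the answer, modelled in memory as an added example (not code from the posts, connect-redis or express-session). `ModelStore`, `resolveTtl`, `stillLoggedInAfter`, the session id `sid-1` and the sample e-mail address are constructed for illustration, and the clock is simulated.

```javascript
// Simplified in-memory model of a TTL-backed session store (constructed for
// illustration; this is not connect-redis or express-session code).
const ONE_DAY = 86400; // seconds

// TTL rule quoted in the answer: explicit ttl (number or function), else
// session.cookie.maxAge (milliseconds, converted to seconds), else one day.
function resolveTtl(opts, sess, sid) {
  if (typeof opts.ttl === 'function') return opts.ttl(opts, sess, sid); // opts stands in for the store
  if (typeof opts.ttl === 'number') return opts.ttl;
  const maxAge = sess && sess.cookie && sess.cookie.maxAge;
  return typeof maxAge === 'number' ? Math.floor(maxAge / 1000) : ONE_DAY;
}

class ModelStore {
  constructor(opts = {}) {
    this.opts = opts;
    this.records = new Map(); // sid -> { json, expiresAt }
    this.now = 0;             // simulated clock, in seconds
  }
  advance(seconds) { this.now += seconds; }
  _expiry(sess, sid) {
    // disableTTL overrides ttl: the record never expires on its own.
    return this.opts.disableTTL ? Infinity : this.now + resolveTtl(this.opts, sess, sid);
  }
  set(sid, sess) {
    // The whole session object is serialized under one key, custom fields included.
    this.records.set(sid, { json: JSON.stringify(sess), expiresAt: this._expiry(sess, sid) });
  }
  get(sid) {
    const rec = this.records.get(sid);
    if (!rec) return null;
    if (rec.expiresAt <= this.now) { this.records.delete(sid); return null; }
    return JSON.parse(rec.json);
  }
  touch(sid) {
    // Called for an active session: pushes the expiry forward without rewriting data.
    const sess = this.get(sid);
    if (sess) this.records.get(sid).expiresAt = this._expiry(sess, sid);
    return sess !== null;
  }
}

// The question's check, taking the loaded session as an argument.
const isLoggedIn = (sess) => Boolean(sess && sess.user);

// Constructed session mirroring the question's config (maxAge of 30 minutes).
const sampleSession = () => ({ cookie: { maxAge: 1800000 }, user: { email: 'alice@example.test' } });

// Returns whether the user is still logged in after `minutes`, with a request
// (and therefore a touch) every `requestEvery` minutes, or no requests if 0.
function stillLoggedInAfter(store, minutes, requestEvery) {
  store.set('sid-1', sampleSession());
  for (let m = 1; m <= minutes; m++) {
    store.advance(60);
    if (requestEvery && m % requestEvery === 0) store.touch('sid-1');
  }
  return isLoggedIn(store.get('sid-1'));
}
```

With disableTTL the record has no server-side idle timeout at all, so session expiry then has to be enforced by some other means.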



















